duosecurity / duo_confluence

Duo two-factor authentication for Confluence.

duo filter breaks Atlassian application links #3

Closed adamleff closed 10 years ago

adamleff commented 10 years ago

The duo filter for confluence/jira appears to break application links, as the API calls between the two applications look to still be subject to Duo authentication.

Example: when displaying a confluence page with a JIRA Issue included with the JIRA Issue macro, the issue is not displayed, and the following error is displayed in the Confluence log:

Caused by: java.net.URISyntaxException: Illegal character in query at index 66: https://jira.webmd.net/plugins/servlet/duologin?duo. request.key=[...redacted...]

I do not expect this to be an issue with the code itself but rather documentation on how to exclude application-link-related traffic from the duo filter.

kra commented 10 years ago

Hi Adam, is this with Duo installed for Confluence, Jira, or both?

You're visiting a Confluence page, and a widget is making an API call to Jira at jira.webmd.net, but the error is showing up in the Confluence log. So Jira isn't complaining, Confluence doesn't like either the URL or the response. Correct?

Are you using the most recent version (plugin version shows 1.3, filter shows 1.2)? The current version uses the session in some places where earlier versions used URL parameters, so if you haven't updated it, it might help.

Have you authenticated with both Confluence and Duo when this happens? Does it still happen after you've authenticated - that is, if you can visit an unaffected Confluence page that requires auth, and then manually go to an affected page by entering its URL in your browser's address bar, does the error occur?

adamleff commented 10 years ago

Karl-

Duo is installed on both JIRA and Confluence. I was authenticated in both, but the particular URL that was impacted was Confluence calling JIRA (most likely via the OAuth mechanism) to display JIRA macro details in a Confluence page. The error provided was from Confluence as it received the redirect to the Duo auth that it was not expecting - calls from Confluence to JIRA (and vice versa) need to be exempt from Duo authentication.

And yes, I am using the most recent version. It was installed directly from the GitHub master tarball downloaded on Tuesday.

Thanks, ~Adam

kra commented 10 years ago

Adam, you're right, an API call must be exempt from Duo authentication in order to work. Without a session, it will return a redirect, and Duo authentication state is not stored outside of a session (in this case, an OAuth token doesn't indicate Duo authentication state).

You can't currently exempt application-specific traffic from Duo authentication, but you can exempt URLs and directories of URLs. This may or may not be a usable solution for you, since any requests of those URLs will not require a second factor. If an OAuth token is required to use the API, and Confluence won't give out an OAuth token without authenticating the user, then this will be fine. But if the API accepts a username and password, then these calls would not be protected.

URLs and directories can be exempted by adding an init param to the filter configuration in web.xml, as set up in:

https://www.duosecurity.com/docs/confluence#configure-confluence

To do this, add an unprotected.dirs param to the web.xml file for JIRA, and restart. The value should contain space-separated absolute paths for URLs. You must include the '/download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/' path - Duo authentication can't complete without it.

For example:

<filter>
    <filter-name>duoauth</filter-name>
    <filter-class>com.duosecurity.seraph.filter.DuoAuthFilter</filter-class>
    <init-param>
        <param-name>ikey</param-name>
        <param-value>...</param-value>
    </init-param>
    <init-param>
        <param-name>skey</param-name>
        <param-value>...</param-value>
    </init-param>
    <init-param>
        <param-name>akey</param-name>
        <param-value>...</param-value>
    </init-param>
    <init-param>
        <param-name>host</param-name>
        <param-value>...</param-value>
    </init-param>
    <init-param>
        <param-name>unprotected.dirs</param-name>
        <param-value>/download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/ /jira/rest/api/resource/foo /jira/rest/api/resource/bar</param-value>
    </init-param>
</filter>